Merge pull request #5 from bryopsida/add-auto-scaling

Add auto scaling
bryopsida · Sep 21, 2022 · 64b46a1 · 64b46a1
2 parents 46fb18f + 76ad2fd
commit 64b46a1
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 22 deletions.
diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wireguard
 description: A Helm chart for managing a wireguard vpn in kubernetes
 type: application
-version: 0.2.0
+version: 0.3.0
 appVersion: "0.0.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md
@@ -1,6 +1,6 @@
 # wireguard
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
 
 A Helm chart for managing a wireguard vpn in kubernetes
 
@@ -14,9 +14,23 @@ A Helm chart for managing a wireguard vpn in kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| autoscaling.enabled | bool | `true` |  |
+| autoscaling.maxReplicas | int | `10` |  |
+| autoscaling.minReplicas | int | `3` |  |
+| autoscaling.targetCPUUtilizationPercentage | int | `75` |  |
+| deploymentStrategy.rollingUpdate.maxSurge | int | `1` |  |
+| deploymentStrategy.rollingUpdate.maxUnavailable | int | `0` |  |
+| deploymentStrategy.type | string | `"RollingUpdate"` |  |
+| disruptionBudget.enabled | bool | `true` |  |
+| disruptionBudget.minAvailable | int | `2` |  |
 | image.pullPolicy | string | `"Always"` |  |
 | image.repository | string | `"ghcr.io/bryopsida/wireguard"` |  |
-| image.tag | string | `"latest"` |  |
+| image.tag | string | `"main"` |  |
+| replicaCount | int | `3` |  |
+| resources.limits.cpu | string | `"100m"` |  |
+| resources.limits.memory | string | `"256Mi"` |  |
+| resources.requests.cpu | string | `"100m"` |  |
+| resources.requests.memory | string | `"256Mi"` |  |
 | secretName | string | `nil` | Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. |
 | service.enabled | bool | `true` | Whether the service will be created or not |
 | service.port | int | `51280` | Service port, default is 51280 UDP |

diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml
@@ -1,39 +1,71 @@
+{{- define "execprobe" -}}
+exec:
+  command: 
+  - /bin/sh
+  - -c
+  - 'ip link show dev wg0 | grep -s up'
+{{- end -}}
+{{- define "core.securitycontext" -}}
+capabilities:
+  add:
+    - NET_ADMIN
+privileged: true
+{{- end -}}
+{{- define "wg.securitycontext" -}}
+{{ include "core.securitycontext" . }}
+runAsNonRoot: true
+runAsUser: 1000
+readOnlyRootFilesystem: true
+{{- end -}}
+{{- define "init.securitycontext" -}}
+{{ include "core.securitycontext" . }}
+runAsNonRoot: false
+{{- end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: "{{ .Release.Name }}-wireguard"
   labels:
     role: vpn
 spec:
-  replicas: 1
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       app: "{{ .Release.Name }}-wireguard"
+  strategy: {{ .Values.deploymentStrategy | toYaml | nindent 4 }}
   template:
     metadata:
       labels:
         app: "{{ .Release.Name }}-wireguard"
         role: vpn
     spec:
+      serviceAccountName: {{ .Release.Name }}-sa
+      automountServiceAccountToken: false
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: "OnRootMismatch"
+        runAsNonRoot: true
       {{- if .Values.image.pullSecret }}
       imagePullSecrets:
         - name: "{{ .Values.image.pullSecret }}"
       {{- end }}
       initContainers:
         - name: sysctls
-          image: busybox
+          image: busybox:stable
           command:
           - sh
           - -c
           - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-            privileged: true
+          securityContext: {{ include "init.securitycontext" . | nindent 12 }}
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: "100m"
+            limits:
+              memory: 64Mi
+              cpu: "100m"
       containers:
         - name: wireguard
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -45,25 +77,29 @@ spec:
           env:
           - name: LOG_LEVEL
             value: info
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-            privileged: true
-          resources:
-            requests:
-              memory: 64Mi
-              cpu: "100m"
-            limits:
-              memory: 256Mi
+          securityContext: {{ include "wg.securitycontext" . | nindent 12 }}
+          resources: {{ .Values.resources | toYaml | nindent 12 }}
+          startupProbe: {{ include "execprobe" . | nindent 12 }}
+            periodSeconds: 2
+            failureThreshold: 15
+          readinessProbe: {{ include "execprobe" . | nindent 12 }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe: {{ include "execprobe" . | nindent 12 }}
+            initialDelaySeconds: 20
+            periodSeconds: 10
           volumeMounts:
+          - name: run
+            mountPath: /run
           - name: config
             mountPath: /etc/wireguard/wg0.conf
             subPath: wg0.conf
           - name: privatekey
             mountPath: /etc/wireguard/privatekey
             subPath: privatekey
       volumes:
+      - name: run
+        emptyDir: {}
       - name: config
         secret:
           secretName: "{{ .Release.Name }}-wg-config"

diff --git a/helm/wireguard/templates/hpa.yaml b/helm/wireguard/templates/hpa.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ .Release.Name }}-wireguard
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ .Release.Name }}-wireguard
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+{{- end }}
diff --git a/helm/wireguard/templates/pdb.yaml b/helm/wireguard/templates/pdb.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.disruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ .Release.Name }}-pdb
+spec:
+  minAvailable: {{ .Values.disruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}-wireguard"
+{{- end }}
diff --git a/helm/wireguard/templates/privatekey-gen-job.yaml b/helm/wireguard/templates/privatekey-gen-job.yaml
@@ -116,6 +116,13 @@ spec:
         name: keygen-job
         image: "ghcr.io/curium-rocks/wg-kubectl:latest"
         imagePullPolicy: Always
+        resources:
+          requests:
+            memory: 64Mi
+            cpu: "100m"
+          limits:
+            memory: 64Mi
+            cpu: "100m"
         env:
           - name: SECRET_NAME
             value: "{{ .Release.Name }}-wg-generated"

diff --git a/helm/wireguard/templates/sa.yaml b/helm/wireguard/templates/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-sa
+automountServiceAccountToken: false
diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/bryopsida/wireguard
-  tag: latest
+  tag: main
   pullPolicy: Always
 wireguard:
   #  -- Subnet for your VPN, take care not to clash with cluster POD cidr
@@ -16,3 +16,24 @@ service:
   port: 51280
 # -- Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one.
 secretName: ~
+replicaCount: 3
+resources:
+  requests:
+    memory: 256Mi
+    cpu: "100m"
+  limits:
+    memory: 256Mi
+    cpu: "100m"
+deploymentStrategy:
+  type: 'RollingUpdate'
+  rollingUpdate:
+    maxUnavailable: 0
+    maxSurge: 1
+disruptionBudget:
+  enabled: true
+  minAvailable: 2
+autoscaling:
+  enabled: true
+  minReplicas: 3
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 75